Trusted: risk score 5/100
Last scanned: 1 day ago
gold-price-fetcher
Fetches the real-time gold price through the JD Finance API and returns the full result with a timestamp.
Legitimate gold price fetching skill with no malicious behavior: all functionality is documented and API calls target a known financial service.
Skill name: gold-price-fetcher
Analysis time: 24.4s
Engine: pi
Verdict: can be installed
Skill is safe for use. Consider pinning the requests library version for better reproducibility.

Security findings (1)

Severity: Low
Finding: Unpinned dependency (supply chain)
Location: scripts/fetch_gold_price.py
The requests library is used without version pinning, which could lead to compatibility issues if a breaking version is released.
Evidence: import requests
Recommendation: Add a requirements.txt with 'requests>=2.28.0' or similar. Note that a '>=' bound is a floor, not a pin; it keeps old versions out but still lets a future breaking release in. For a reproducible build, pin an exact version with '==' (for example the output of pip freeze) or use a lock file that records hashes.
Permissions (declared vs. inferred)

Resource      Declared      Inferred      Status         Evidence
Network       READ          READ          ✓ consistent   scripts/fetch_gold_price.py:38 - requests.get()
Filesystem    READ,WRITE    READ,WRITE    ✓ consistent   scripts/fetch_gold_price.py:35 - os.makedirs(), f.write()
External URLs (4 findings)

Severity   Finding        URL                                                                              Location
Medium     External URL   https://ms.jr.jd.com/gw2/generic/CreatorSer/newh5/m/getFirstRelatedProductInfo   README.md:31
Medium     External URL   https://clawhub.ai/import**                                                      发布说明.md:18
Medium     External URL   https://clawhub.ai/docs                                                          发布说明.md:71
Medium     External URL   https://mirror-cn.clawhub.com                                                    发布说明.md:72

Only the first URL is an API endpoint; the other three are ClawHub links that appear in the release notes (发布说明.md), and the scanner's highlights record that the script's own network calls go to the JD Finance API only.

Directory structure

4 files · 7.0 KB · 302 lines
Markdown: 3 files, 202 lines · Python: 1 file, 100 lines
├─ scripts/
│  └─ fetch_gold_price.py    Python, 100 lines, 2.8 KB
├─ README.md                 Markdown, 75 lines, 1.4 KB
├─ SKILL.md                  Markdown, 50 lines, 1.1 KB
└─ 发布说明.md                Markdown, 77 lines, 1.7 KB (release notes)

Dependency analysis (1)

Package    Version   Source   Known vulnerabilities   Notes
requests   *         pip      (none listed)           Version not pinned

Security highlights

✓ No shell execution or subprocess usage
✓ No credential harvesting or environment variable access
✓ No base64 encoding or obfuscation
✓ All functionality declared in SKILL.md
✓ Network calls target legitimate JD Finance API
✓ Cache mechanism is documented and transparent
✓ No hidden functionality or shadow behavior
✓ Clean code with proper error handling